Enterprises need to boost web application security

Web application security - or the lack of it, because companies don't pay enough attention to protecting their internet applications - was a topic of debate at the Black Hat Briefings Thursday in Las Vegas.

Enterprises are still held up by not doing the basics correctly when developing web applications, said Paul Proctor, analyst at research firm META Group. "They're not even looking at security as part of the development lifecycle," he said.
Caleb Sima, CTO and co-founder of web application security provider SPI Dynamics, said the fundamental problem stems from the pressure placed on developers to meet deadlines and focus on features rather than security. Tools that assess the security of web applications can help identify a majority of vulnerabilities, he said.

"That assumes they use the tools properly," Proctor responded. Jeremiah Grossman, CEO of WhiteHat Security, said, "Running a tool on your site isn't necessarily due diligence," but Sima countered that it shows initiative on the part of the company to address the issue.

Assessment services, or penetration tests, are another approach companies rely on for securing their web applications, but companies often don't bring in consultants to perform security assessments until the application is already going live, panelists said. "It's always the last check mark they have," noted Frank Lam, senior manager, Deloitte & Touche.

Panelists agreed that developers need security training, but Sima said that many companies don't have the money or time to train all their developers. "The easiest way to train developers is to make it easier for them" to implement security, he added. Performing input validation on web applications can eliminate many vulnerabilities, he said.

Designing web applications securely from the start is key, Proctor said. The cost of fixing security flaws after an application is released is 60 times more than the cost of fixing it in development, he said.

Copyright © SC Magazine, US edition